WKD proper behavior on fetch error

Juergen Bruckner juergen at bruckner.email
Mon Jan 18 12:25:22 CET 2021

Hello André,

On 18.01.21 at 00:03, André Colomb wrote:
> On 17/01/2021 21.39, Juergen Bruckner via Gnupg-users wrote:
>> And as far as Sequoia is concerned, Stefan's explanations only confirmed
>> that this is software that I definitely don't want to use.
>> Software that accepts an invalid digital certificate as correct, has no
>> place in an environment where security and confidentiality are concerned.
>> This is an  a b s o l u t e  NO-GO.
> To be fair, it's not quite that bad.  Sequoia does recognize the invalid
> certificate as such, as Neal pointed out.  It just doesn't scream out
> loud about it.  Instead it goes on silently trying the direct method,
> for which everything is configured correctly in Stefan's setup.
> That is not following the current WKD draft correctly, as interpreted by
> the majority of those who spoke up IIRC.  But so far no scenario was
> brought up where it poses an obvious security risk.  More like hiding
> the problem from an admin trying to deliberately set up the advanced
> method and possibly ending up with some forgotten remains of the direct
> method having been used before.
> In my opinion, the WKD spec needs clear rules about cases when to switch
> to the direct method.  And making it hinge solely on proper DNS
> configuration is perfectly fine.  Having enough control over the domain
> is one more prerequisite (besides the CA stuff) which an impostor would
> need to get around.  After all, the corresponding web server is trusted
> to deliver the correct OpenPGP public key for authenticated communication.

Yes, I will be fair and say that Sequoia works okay so far.
And yes, it is good to hear from Neal that Sequoia actually recognizes 
this as an invalid certificate.
BUT, if a piece of software claims to ensure secure communication, then the
behavior shown is unacceptable to me; at least a reference to the invalid
certificate would have to be shown.

Otherwise, the discussion now mainly revolves around the fact that 
Stefan still claims the certificate is valid and Sequoia continues 
because of this. (At least that's my understanding of Stefan's statements).

Best regards

/¯\   No  |
\ /  HTML |    Juergen Bruckner
  X    in  |    juergen at bruckner.email
/ \  Mail |
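
The lookup order discussed in this message, written out as an added example (not code from GnuPG, Sequoia or any poster): the direct method is selected only when the `openpgpkey` subdomain does not resolve, and an invalid certificate on that subdomain is reported instead of silently falling back. `resolves` and `fetch` are hypothetical injected callables, the scenario in the demo is constructed, and the local part is assumed to need no percent-encoding.

```python
import hashlib
import ssl

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet

def wkd_hash(local_part):
    """z-base-32 of the SHA-1 of the lowercased local part (32 characters)."""
    n = int.from_bytes(hashlib.sha1(local_part.lower().encode()).digest(), "big")
    return "".join(ZB32[(n >> shift) & 31] for shift in range(155, -1, -5))

def wkd_urls(address):
    """Return (advanced_url, direct_url) for an e-mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={local}"
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
            f"https://{domain}/.well-known/openpgpkey/{tail}")

def wkd_lookup(address, resolves, fetch):
    """Return (method, key_bytes_or_None, warnings).

    resolves(host) -> bool and fetch(url) -> bytes are hypothetical callables
    injected by the caller; fetch raises ssl.SSLCertVerificationError when the
    server certificate does not validate.
    """
    advanced, direct = wkd_urls(address)
    host = "openpgpkey." + address.rsplit("@", 1)[1].lower()
    if not resolves(host):
        # No openpgpkey subdomain in DNS: the only case that selects direct.
        return "direct", fetch(direct), []
    try:
        return "advanced", fetch(advanced), []
    except ssl.SSLCertVerificationError as exc:
        # Subdomain exists but its certificate is invalid: report it, stop.
        return "advanced", None, [f"invalid certificate for {host}: {exc}"]

if __name__ == "__main__":
    # Constructed scenario: advanced host has a bad certificate, while files
    # from an earlier direct-method setup are still being served.
    def fetch(url):
        if url.startswith("https://openpgpkey."):
            raise ssl.SSLCertVerificationError(1, "hostname mismatch")
        return b"leftover direct-method key"
    print(wkd_lookup("Joe.Doe@Example.ORG", lambda host: True, fetch))
```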
